February 10, 2004
Intruder Alert 3.6 W32_WINS_Service_Errors Policy

This policy detects errors related to the Windows Internet Name Service (WINS).

The Windows Internet Name Service (WINS) maps IP addresses to NetBIOS computer names and vice versa. A security vulnerability exists in WINS.

This vulnerability exists because WINS does not correctly validate the length of specially crafted packets. An attacker who sends a series of specially crafted packets to a WINS server could cause the service to fail.

NOTE: This policy only works if event log filtering has been configured as described in the instructions below.

Download ITA W32_WINS_Service_Errors Policy

Affected Platforms

Windows NT/2000/2003/XP

Description

This policy detects errors related to the Windows Internet Name Service (WINS).

Policy Rules include:

  • WINS_Packet_Format_Error
    This rule detects a WINS Packet Format error. A large number of these errors may indicate a Denial of Service attack against WINS.
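
The sketch below is an added example, not part of the Intruder Alert policy or of Symantec's code. It shows the counting logic behind "many of these errors": a burst of WINS packet format errors inside a short window raises one alert, while sporadic errors and unrelated events are ignored. The record layout, message text, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import deque
from datetime import datetime, timedelta

# Assumed tuning values; the policy text does not state a threshold.
WINDOW = timedelta(seconds=60)
THRESHOLD = 5

# Constructed sample records: (timestamp, event log, source, message).
SAMPLE_EVENTS = [
    ("2004-02-10 18:00:04", "System", "Wins", "Packet format error"),
    ("2004-02-10 09:15:00", "System", "Wins", "Packet format error"),
    ("2004-02-10 13:40:00", "System", "Wins", "Packet format error"),
    ("2004-02-10 17:59:30", "System", "Service Control Manager", "Service started"),
    ("2004-02-10 18:00:01", "System", "Wins", "Packet format error"),
    ("2004-02-10 18:00:03", "System", "Wins", "Packet format error"),
    ("2004-02-10 18:00:05", "System", "Wins", "Replication completed"),
    ("2004-02-10 18:00:07", "System", "Wins", "Packet format error"),
    ("2004-02-10 18:00:09", "System", "Wins", "Packet format error"),
]

def is_wins_packet_error(log, source, message):
    """True only for System-log events from the WINS source reporting a packet format error."""
    return (log.lower() == "system" and source.lower() == "wins"
            and "packet format" in message.lower())

def detect_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Return the times at which `threshold` matching events fell within `window`."""
    parsed = sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), log, src, msg)
                    for ts, log, src, msg in events)  # tolerate out-of-order input
    recent, alerts = deque(), []
    for when, log, src, msg in parsed:
        if not is_wins_packet_error(log, src, msg):
            continue
        recent.append(when)
        while when - recent[0] > window:  # drop errors older than the window
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append(when)
            recent.clear()  # report each burst once
    return alerts

if __name__ == "__main__":
    for when in detect_bursts(SAMPLE_EVENTS):
        print(f"ALERT {when}: {THRESHOLD}+ WINS packet format errors within {WINDOW}")
```

With the constructed events, the two isolated errors earlier in the day produce no alert and the five errors between 18:00:01 and 18:00:09 produce exactly one.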

ITA Event Log Filtering Configuration Instructions

  1. Browse to the system folder where the ITA agent is installed.

  2. Locate the cols_nt.cfg file.

  3. Insert the following event types to be monitored:

    \system\WINS


Last modified on: Tuesday, 10-Feb-04 18:40:10